---
id: oauth2-public-spa-mobile
title: Mobile & Browser (Single-Page-App) with OAuth2
---

We have an
[excellent blog post](https://www.ory.sh/oauth2-for-mobile-app-spa-browser) on
this topic. Read it now!

### Creating a public OAuth 2.0 Client

You can create a public OAuth 2.0 Client (e.g. for the authorize code + PKCE or
implicit flow) with the CLI

```
hydra clients create --endpoint http://ory-hydra-admin-api --token-endpoint-auth-method none
```

or by setting in the HTTP API JSON body when POSTing to `/clients`:

```
{
  "client_id": "...",
  "token_endpoint_auth_method": "none"
}
```

Be aware that when making requests to `/oauth2/token` or `/oauth2/revoke` with a
public OAuth 2.0 Client, you cannot authenticate with the HTTP Basic
Authorization but must include the `client_id` in the POST body:

```
POST /oauth2/token
...

client_id=...&
  ...
```

:::note

The public clients using a non-https redirect scheme cannot skip consent as per
OpenID Sepcification & Certification.

:::
